PHP Forum

#1
07-11-2006, 12:27 PM
dirkfirst (Programming Professional)
Storing a Secure Password

I'm creating a new database application (although I'm just winging my way through it). The application allows users to log in and creates a session. Now, my question is: what is the best way to store these user passwords in a database? Is there a one-way encryption method?
#2
07-11-2006, 08:18 PM
Dan (Programmer)

Are you using PHP, or PHP combined with MYSQL?
#3
07-13-2006, 02:20 PM
dirkfirst (Programming Professional)

PHP and MySQL
#4
07-13-2006, 07:16 PM
Dan (Programmer)

Pretty complex stuff and not something I have ever done custom, but I've fished out some info for you:

MYSQL Password hashing - should be what you need?

Quote:
It really depends on what your business is, and you must decide for yourself what lengths you need to go to for your users' protection. The key is to take all reasonable measures to protect the data. This is where the fun of personal privacy laws comes into play. Also remember that you are only legally allowed to require information from your user which you NEED to do business with them.

So...

Your user must enter said information and you are going to store it. How are you going to protect their information? You need the information to be accessible by the person who entered it and only the person who entered it. This would require some information that only the user knows. How can you acquire this information, and how can you store it?

HTTPS

Again, this depends on what type of information you will be storing. The first thing involved is to get a secure certificate for your site and only transfer sensitive, or personal, user data over an encrypted connection. I have always gotten secure certs from Thawte and always been satisfied. One thing to note is the form itself does not need to be under https but any form action does. As long as the form action is https then the secure connection is established before any data is sent. I've spent a lot of time sniffing this scenario to be sure that it is 100% true.

User Account Access

There will need to be a way for users to access their account. Most often this will consist of a username and a password. Usernames should be unique. This will allow the username password combination to be unique and be the first line of protection against account hijacking. Depending on the type of data you are storing, two fields that make up your unique combination may not be enough but for our explanation here we will use only the two fields.

Password Protection

I realize I am only now getting to the heart of your question but, in truth, all of these things play a part in it.

Passwords should never be stored on your system in plain text or in a decryptable form. MD5 is a one-way encryption and is an acceptable method of storing passwords. There is absolutely no need for your users' passwords to be accessible by you or anyone who works for your organization. A password can always be reset by the user or by you or your employees. You must encrypt the password when it is received and then store the encrypted password in your database. This makes sure that the password is useless in the form in which it is accessed straight from the database.

Your form that takes the password should post to a script which does something similar to the following, ensuring that the username is unique and that the password is protected.
Code:
$sql = "select * from usertable where username='" . $_POST['username'] . "'"; 
$result = mysql_query($sql); 
if (mysql_num_rows($result) >= 1) { 
 $error = "please enter another username"; 
 include "userform.php"; 
 exit(); 
} else { 
 $username = $_POST['username']; 
 $userpass = md5($_POST['userpass']); 
 $sql = "insert into usertable values('$username','$userpass')"; 
 mysql_query($sql); 
 include "postregister.html"; 
}
You now have a stored password which is useless to you and only usable to the user through your login form.

User Login

Sessions or cookies are good methods to keep your user logged in and to be able to recognize them in your scripts. You must put some thought into how you are going to do your authentication and how you are going to stop the ability to hijack active sessions or hijack cookies.

A simple login script may go something like the following. Once again the form you use for your login should have an action that is under https or be under https itself. I will use a session based example.
Code:
session_start(); 
$username = $_POST['username']; 
$userpass = md5($_POST['userpass']); 
$sql = "select * from usertable where username='$username' and password='$userpass'"; 
$result = mysql_query($sql); 
if (mysql_num_rows($result)!= 1) { 
 $error = "Login failed"; 
 include "loginform.php"; 
} else { 
 $_SESSION['username'] = "$username"; 
 $_SESSION['ip'] = $_SERVER['REMOTE_ADDR']; 
 // any other data needed to navigate the site or 
 // to authenticate the user can be added here 
 include "membersection.php"; 
}
User Authentication

Now an important factor is to be able to reliably recognize the user once they have logged in and to make sure that user is using their own session. In our above example we included the IP of the user to add some extra security. An authentication script would need to be included at the top of the page on every single page inside the members section of your site.

A simple authentication script could be as follows.
Code:
session_start(); 
$newip = $_SERVER['REMOTE_ADDR']; 
if (!isset($_SESSION['username']) ||
empty($_SESSION['username']) || $newip != $_SESSION['ip']) {
 include "logout.php"; 
}
All of the above scripts are very simple and greater means may need to be taken to protect and authenticate your users, but those three scripts are the basis of a user management system. You would also need to provide a method for your users to reset and acquire their passwords if need be. Passwords should always be reset in some random fashion and then the user should be forced to change it before they continue using your site.
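The three quoted scripts build SQL from `$_POST` by string concatenation, store an unsalted `md5()` of the password, and bind the session to the client IP. As an added example (not code from the thread or from the article Dan quotes), here are the same three steps, register, log in, and check on every members page, as a PHP 7.4+ application would write them: PDO prepared statements so user input never becomes SQL, `password_hash()`/`password_verify()` (added in PHP 5.5, long after this thread) so the stored value is a salted, slow, upgradeable hash, and a regenerated session id at login. The table name `usertable` comes from the quoted code; the `password_hash` column, the DSN, the credentials and the page names are assumptions for the example.

```php
<?php
// Added example, not code from the thread or the quoted article. Same three
// steps as the quoted scripts, written against PHP 7.4+ APIs.
// Assumed schema: usertable(username VARCHAR(64) PRIMARY KEY, password_hash VARCHAR(255)).
// The DSN, credentials and page names below are placeholders.
declare(strict_types=1);

function db(): PDO
{
    $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'CHANGE_ME');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
    return $pdo;
}

// Session cookie flags: not readable by script, only sent over HTTPS,
// not sent on cross-site navigation. Must be set before session_start().
function startSession(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
        session_start();
    }
}

// Registration. The username is a bound parameter, and the password is stored
// only as a password_hash() string (algorithm, cost and random salt included).
function registerUser(PDO $pdo, string $username, string $password): bool
{
    if ($username === '' || strlen($password) < 8) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT 1 FROM usertable WHERE username = ?');
    $stmt->execute([$username]);
    if ($stmt->fetchColumn() !== false) {
        return false; // taken; the PRIMARY KEY also rejects a concurrent duplicate
    }
    $stmt = $pdo->prepare('INSERT INTO usertable (username, password_hash) VALUES (?, ?)');
    return $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login. Fetch by username only and let password_verify() do the comparison;
// the hash is never part of the WHERE clause. An unknown user is verified
// against a dummy hash so response time does not reveal which names exist.
function loginUser(PDO $pdo, string $username, string $password): bool
{
    static $dummy = null;
    $dummy ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);

    $stmt = $pdo->prepare('SELECT password_hash FROM usertable WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    $ok = password_verify($password, $hash === false ? $dummy : $hash);
    if ($hash === false || !$ok) {
        return false;
    }
    // Transparent upgrade when PASSWORD_DEFAULT or its cost has moved on.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE usertable SET password_hash = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    startSession();
    session_regenerate_id(true); // discard the pre-login id
    $_SESSION['username'] = $username;
    $_SESSION['login_time'] = time();
    return true;
}

// Per-page check, in place of the quoted script's IP comparison: a user's IP
// can change legitimately (mobile networks, proxies) and anyone behind the
// same NAT shares it, so the session id, protected by the cookie flags above
// and an absolute lifetime, is what identifies the session.
function requireLogin(int $maxAgeSeconds = 3600): string
{
    startSession();
    $age = time() - (int) ($_SESSION['login_time'] ?? 0);
    if (empty($_SESSION['username']) || $age > $maxAgeSeconds) {
        $_SESSION = [];
        session_destroy();
        header('Location: /loginform.php');
        exit();
    }
    return $_SESSION['username'];
}

// Usage from register.php / login.php / any members page (placeholder names):
// registerUser(db(), $_POST['username'] ?? '', $_POST['userpass'] ?? '');
// loginUser(db(), $_POST['username'] ?? '', $_POST['userpass'] ?? '');
// $user = requireLogin();
```

Two design points worth noting against the quoted scripts: the login query selects by username alone and compares in PHP, so the hash never has to be reproduced by the client side of the query, and `password_needs_rehash()` lets the stored cost rise over the years without forcing a password reset, which is the property unsalted `md5()` storage lacks.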
#5
07-13-2006, 11:48 PM
John (Co-Administrator)

Without reading all of Dan's information (because I'm lazy), the best way to store passwords is using the md5 encryption method. PHP even has its own function:
md5()

PHP Code:
<?php
$unencrypted_password = "test";
$encrypted_password = md5($unencrypted_password);
echo $encrypted_password;
?>
That's a simple script that shows how the password "test" would be stored if you use md5 encryption.
#6
07-14-2006, 09:19 AM
Dan (Programmer)

Yes, the information I provided outlines md5 password encryption, but it is a little bit more complex than sidewinder's correct code.
#7
07-19-2006, 09:30 PM
crocodile (Newbie)

md5 twice is better for your password safety.
#8
07-22-2006, 11:45 PM
TkTech

crocodile, md5 twice won't matter compared with md5 once. No one yet has broken md5, and the current brute forcers are bloated, slow, and absolutely pathetic.

PS. crocodile, I blanked your signature, mainly because it's an md5 "cracking" site.
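Posts #5 through #8 turn on whether `md5()` once, or twice, is a safe stored form. Recovering passwords from a leaked table does not require breaking MD5 as a hash function; it requires hashing guesses, and with no per-user salt the guesses can be hashed once, in advance, and matched against every user. The following added example (not code from the thread) makes that concrete with a constructed five-word password list and a constructed copy of what the quoted registration script would store, then shows the two properties `password_hash()` adds that `md5()` lacks: a fresh salt per call, so no precomputed table applies, and a tunable work factor, so each remaining guess is expensive. Only constructed data is used; nothing here reads a real table.

```php
<?php
// Added example, not code from the thread. Shows what the stored form from the
// quoted scripts looks like to whoever obtains a copy of usertable, and why a
// salted slow hash does not have the same problem. All data is constructed.
declare(strict_types=1);

const CONSTRUCTED_COMMON_PASSWORDS = ['test', 'password', '123456', 'letmein', 'qwerty'];

// One-time table: hash => password, covering both md5(p) and md5(md5(p)).
// The work is done once and reused against every user; "md5 twice" only adds
// a second entry per word to the same table.
function buildLookupTable(array $passwords): array
{
    $table = [];
    foreach ($passwords as $pw) {
        $once = md5($pw);
        $table[$once] = $pw;
        $table[md5($once)] = $pw;
    }
    return $table;
}

// Constructed copy of what the quoted registration script would store.
function constructedDump(): array
{
    return [
        'alice' => md5('test'),                          // quoted script: md5 once
        'bob'   => md5(md5('letmein')),                  // post #7: md5 twice
        'carol' => md5('correct horse battery staple'),  // not in the word list
    ];
}

// Join the dump against the table; every match is a recovered password,
// with no per-user work at all. Unmatched users are simply absent.
function matchDumpAgainstTable(array $dump, array $table): array
{
    $recovered = [];
    foreach ($dump as $user => $hash) {
        if (isset($table[$hash])) {
            $recovered[$user] = $table[$hash];
        }
    }
    return $recovered;
}

// Contrast: password_hash() draws a fresh random salt per call, so two users
// with the same password store different strings and no table built before the
// leak applies to them. password_verify() still accepts both.
function saltedHashesDiffer(string $password): bool
{
    $a = password_hash($password, PASSWORD_DEFAULT);
    $b = password_hash($password, PASSWORD_DEFAULT);
    return $a !== $b && password_verify($password, $a) && password_verify($password, $b);
}

// Work factor: seconds per guess for md5() versus password_verify() at the
// default bcrypt cost. This ratio, not the quality of any one brute-force tool
// in a given year, decides whether guessing against a leaked table is practical.
function secondsPerGuess(callable $guess, int $n): float
{
    $start = microtime(true);
    for ($i = 0; $i < $n; $i++) {
        $guess("guess$i");
    }
    return (microtime(true) - $start) / $n;
}

$table = buildLookupTable(CONSTRUCTED_COMMON_PASSWORDS);
print_r(matchDumpAgainstTable(constructedDump(), $table));
var_dump(saltedHashesDiffer('test'));

$stored = password_hash('test', PASSWORD_DEFAULT);
printf("md5:             %.9f s per guess\n", secondsPerGuess(fn(string $p) => md5($p), 100000));
printf("password_verify: %.6f s per guess\n", secondsPerGuess(fn(string $p) => password_verify($p, $stored), 10));
```

Run with `php` on the command line: the lookup recovers the two users whose passwords (hashed once or twice) are in the constructed list and misses the third, the salted-hash check returns `true`, and the timing lines show `password_verify()` costing several orders of magnitude more per guess than `md5()`. The defence the thread is looking for is therefore not a second `md5()` pass but a per-user salt and a work factor, which is what `password_hash()` provides by default.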
All times are GMT -5.